How can I retrieve and restore a deleted user account in Active Directory?

Fortunately, Active Directory (AD) has a feature for restoring accidentally deleted user accounts. The problem in AD is not only bringing the lost account back to life, but also returning the account to its former group memberships. Restoring accounts is also closely tied to repairing and bringing back inadvertently deleted groups and other objects, because accounts are often lost in bulk when an object that holds many accounts (such as an organizational unit) is deleted by mistake. This tip examines how to use this Active Directory security feature.

First, as a preventative measure, Microsoft recommends taking steps to stop administrators from being able to delete objects in bulk. They recommend using the ADSIEdit, LDP or DSACLS tools to add an access control entry (ACE) that denies deletion on the security descriptor of every object and of its parent.
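The following PowerShell script is an added example, not code from the tip or from Microsoft. It writes the same two deny ACEs that ADSIEdit or DSACLS would: on the organizational unit itself a deny for Delete and Delete Subtree, and on its parent a deny for Delete Child, both for the Everyone principal, and then lists the deny entries so the change can be verified. The distinguished names are assumptions for a lab domain.

```powershell
# Added example: protect an OU from deletion with explicit deny ACEs, as the tip
# describes. DNs are assumptions; adjust them for the container you protect.
$ouDn     = "OU=Sales,OU=Corp,DC=example,DC=com"   # assumption: container to protect
$parentDn = "OU=Corp,DC=example,DC=com"            # assumption: its parent

# "Everyone" by well-known SID so the script does not depend on the UI language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")

function Add-DenyDeleteAce {
    param(
        [string]$Dn,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $obj = [ADSI]"LDAP://$Dn"
    # Inheritance "None": the deny applies to this object only and does not
    # cascade onto every user or group stored underneath it.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $everyone,
        $Rights,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $obj.ObjectSecurity.AddAccessRule($rule) | Out-Null
    $obj.CommitChanges()
}

function Get-DenyDeleteAces {
    param([string]$Dn)
    $deleteRights = [System.DirectoryServices.ActiveDirectoryRights]"Delete, DeleteTree, DeleteChild"
    $obj = [ADSI]"LDAP://$Dn"
    $obj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ([int]($_.ActiveDirectoryRights -band $deleteRights)) -ne 0
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# On the object itself: deny Delete and Delete Subtree.
Add-DenyDeleteAce -Dn $ouDn -Rights ([System.DirectoryServices.ActiveDirectoryRights]"Delete, DeleteTree")
# On the parent: deny Delete Child, so the OU cannot be removed "from above" either.
Add-DenyDeleteAce -Dn $parentDn -Rights ([System.DirectoryServices.ActiveDirectoryRights]"DeleteChild")

# Verify: both objects should now show a Deny entry for Everyone (S-1-1-0).
Get-DenyDeleteAces -Dn $ouDn     | Format-Table -AutoSize
Get-DenyDeleteAces -Dn $parentDn | Format-Table -AutoSize

# Equivalent with the DSACLS tool the tip mentions
# (SD = delete, DT = delete subtree, DC = delete child objects):
#   dsacls "OU=Sales,OU=Corp,DC=example,DC=com" /D "Everyone:SDDT"
#   dsacls "OU=Corp,DC=example,DC=com"          /D "Everyone:DC"
```

Run it as an account that can modify the DACL of both containers. Because a deny ACE wins over any allow, an administrator who later needs to delete the OU has to remove the two entries first, which is exactly the extra step that turns a bulk mistake into a deliberate action.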

Barring that, Microsoft recommends three ways to restore deleted users. The first is to restore the accounts using the Ntdsutil command-line tool, which is only available on Microsoft Windows Server 2003 with Service Pack 1, and then add them back to their groups. The second, without the tool, is to use the most recent system state backup of the global catalogue on the user's domain controller. This, of course, has to be done before the current global catalogue has replicated and overwritten the backup.

The third method is to restore both the deleted user and his or her security groups twice. Microsoft says the process has to be repeated to repair group membership information, which may not be fully restored in a single pass.
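Before choosing any of the three restore paths, an administrator needs to know which accounts were deleted, when, and where they lived. The PowerShell script below is an added example (not from the tip or from Microsoft) that lists the tombstoned user objects in a domain over LDAP using the Show Deleted Objects control, and reconstructs each one's original distinguished name from its mangled CN and the lastKnownParent attribute. That original DN is what an authoritative restore is told to bring back. The domain controller name and base DN are assumptions.

```powershell
# Added example: enumerate tombstoned user accounts so the operator knows what
# to restore. Server and base DN are assumptions for a lab domain.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dcHost   = "dc01.example.com"    # assumption: any domain controller in the domain
$domainDn = "DC=example,DC=com"   # assumption

function Get-TombstonedUsers {
    param([string]$Server, [string]$BaseDn)

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.Signing = $true   # sign and seal the session
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()                           # current Windows credentials

    # Computer accounts are also objectClass=user; their sAMAccountName ends in "$".
    $filter = "(&(objectClass=user)(isDeleted=TRUE)(!(sAMAccountName=*$)))"
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn,
        $filter,
        [System.DirectoryServices.Protocols.SearchScope]::Subtree,
        @("cn", "sAMAccountName", "lastKnownParent", "whenChanged", "objectGUID"))

    # Without this LDAP control, objects under CN=Deleted Objects are not returned.
    $req.Controls.Add((New-Object System.DirectoryServices.Protocols.ShowDeletedControl)) | Out-Null

    $resp = $conn.SendRequest($req)
    foreach ($entry in $resp.Entries) {
        $attrs = $entry.Attributes
        # A tombstone's CN is "<original name>" + newline + "DEL:<guid>". The part
        # before the newline plus lastKnownParent gives the DN the object had before
        # it was deleted.
        $cn     = $attrs["cn"].GetValues([string])[0]
        $name   = $cn.Split("`n")[0]
        $parent = $attrs["lastKnownParent"].GetValues([string])[0]
        $guid   = New-Object Guid -ArgumentList (,$attrs["objectGUID"].GetValues([byte[]])[0])
        $sam    = if ($attrs.Contains("sAMAccountName")) { $attrs["sAMAccountName"].GetValues([string])[0] } else { $null }

        [pscustomobject]@{
            SamAccountName = $sam
            OriginalDn     = "CN=$name,$parent"
            DeletedAt      = $attrs["whenChanged"].GetValues([string])[0]   # generalized time, e.g. 20090210143000.0Z
            ObjectGuid     = $guid
        }
    }
    $conn.Dispose()
}

Get-TombstonedUsers -Server $dcHost -BaseDn $domainDn |
    Sort-Object DeletedAt -Descending |
    Format-Table -AutoSize
```

Two caveats matter for the procedures above. A tombstone only survives for the forest's tombstone lifetime, so this check must run before that window closes. And a Windows Server 2003 tombstone keeps attributes such as sAMAccountName and objectSid but not linked attributes such as group membership, which is why the tip says the groups must be repaired as a separate step rather than recovered from the deleted object itself.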

There are also other manual restoration methods in the Microsoft Knowledge Base at KB 840001. The article is an excellent reference with details and step-by-step instructions on how to restore Active Directory accounts.

This was first published in February 2009